Adds TSK output with amendment to cli, file writer format addition, a…

…nd the mft_analyzer directive.
rowingdude · Sep 17, 2024 · e48b84d · e48b84d
1 parent 0ecc181
commit e48b84d
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 1 deletion.
diff --git a/src/analyzeMFT/cli.py b/src/analyzeMFT/cli.py
@@ -29,6 +29,8 @@ async def main():
                             help="Export as log2timeline CSV")
     export_group.add_option("--sqlite", action="store_const", const="sqlite", dest="export_format",
                             help="Export as SQLite database")
+    export_group.add_option("--tsk", action="store_const", const="tsk", dest="export_format",
+                            help="Export as TSK bodyfile format")
 
     parser.add_option_group(export_group)
 

diff --git a/src/analyzeMFT/file_writers.py b/src/analyzeMFT/file_writers.py
@@ -141,4 +141,16 @@ async def write_sqlite(records: List[MftRecord], output_file: str) -> None:
 
         conn.commit()
         conn.close()
-        await asyncio.sleep(0)
+        await asyncio.sleep(0)
+
+    @staticmethod
+    async def write_tsk(records: List[MftRecord], output_file: str) -> None:
+        with open(output_file, 'w', newline='', encoding='utf-8') as tskfile:
+            for record in records:
+                # TSK body file format:
+                # MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
+                tskfile.write(f"0|{record.filename}|{record.recordnum}|{record.flags:04o}|0|0|"
+                              f"{record.filesize}|{record.fn_times['atime'].unixtime}|"
+                              f"{record.fn_times['mtime'].unixtime}|{record.fn_times['ctime'].unixtime}|"
+                              f"{record.fn_times['crtime'].unixtime}\n")
+            await asyncio.sleep(0)
diff --git a/src/analyzeMFT/mft_analyzer.py b/src/analyzeMFT/mft_analyzer.py
@@ -249,6 +249,8 @@ async def write_output(self) -> None:
             await FileWriters.write_excel(list(self.mft_records.values()), self.output_file)
         elif self.export_format == "sqlite":
             await FileWriters.write_sqlite(list(self.mft_records.values()), self.output_file)
+        elif self.export_format == "tsk":
+            await FileWriters.write_tsk(list(self.mft_records.values()), self.output_file)
         else:
             print(f"Unsupported export format: {self.export_format}")